Detecting Coercive Lures with OCR

Posted on 2020-05-12 by Josiah Smith
InQuest Deep File Inspection (DFI) utilizes machine vision and optical character recognition (OCR) to identify the social engineering component of a variety of malware lures. This is one of the many techniques we employ to detect novel malware that may rely on previously unseen and otherwise undetectable tactics. Acknowledging that phishing is still the predominant access vector for threat actors to carry out their attacks, it is irresponsible to think that it is possible to "Squish the Phish" or get that "click rate" down to zero. In keeping with the colloquial security proverb, "Prevention is ideal, but detection is a must", InQuest has been following a variety of different techniques used in malicious documents. On a consistent basis, threat actors are trying to convince the unsuspecting user to "enable macros" or "enable content" in order to progress down the attack chain. Typically, these documents contain a macro called "Auto_Open" or "Document_Open", but it could really be any one of a dozen or so canonical names that cause Microsoft Office to automatically execute the macro once the document is opened.
Over the last two years, we have published technical blogs covering in-depth analysis of some of the techniques used within these maldocs. Generally, the samples had low AV detection rates and were heavily obfuscated to frustrate analysts and security products.
  • [Extracting "Sneaky" Excel XLM Macros](https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files)
  • [Getting Sneakier: Hidden Sheets, Data Connections, and XLM Macros](https://inquest.net/blog/2020/03/18/Getting-Sneakier-Hidden-Sheets-Data-Connections-and-XLM-Macros)
  • [ZLoader 4.0 Macrosheets Evolution](https://inquest.net/blog/2020/05/06/ZLoader-4.0-Macrosheets-Evolution)

One successful InQuest signature, "Document Containing Macro Execution Coercion", covers Microsoft Office documents used as malware carriers that attempt to coerce the user into activating malicious content through on-screen instruction. In some environments, macros are disabled within Microsoft Office, and therefore malicious macros will not be executed by default. Threat actors use different types of lure messages in an attempt to convince users to enable macros so that malicious code can be executed. The severity of this event increases in the presence of other alerts, for example those pertaining to automatic macro execution, obfuscation, and other suspicious attributes.

Value of OCR

There is appreciable value returned when combining OCR with the DFI process. After the OCR extracts the text from the images, built-in or user-defined threat detection signatures can alert on the text that was inside the image. For example, extracted text strings such as "enable content" or "office version isn't compatible" are frequently used in these documents. Of note, another use case in this scenario could be data-loss detection identifying PII, PHI, PCI, or other sensitive information. InQuest Labs consistently sources the strings found in these lures to keep our signatures up to date. Our user base and in-house security engineers have been commenting on the consistent success of this detection technique.
Fig 2. OCR Derived Text.

Tracking Graphical Assets Based on XMP IDs

InQuest has been tracking the graphical assets used in the malicious documents using Adobe Extensible Metadata Platform (XMP) identifiers (IDs). As described in [Adobe XMP: Tales of an Overlooked Anchor](https://inquest.net/blog/2019/09/30/Adobe-XMP-Tales-of-an-Overlooked-Anchor), these hashes / GUIDs are used as a standard for mapping graphical asset relationships: XMP allows for tracking of both parent-child relationships and individual revisions. There are three categories of identifiers: original document, document, and instance. Generally, XMP data is stored in XML format, updated on save/copy, and embedded within the graphical asset. The following list of XMP IDs was harvested from the most common graphical lure templates:
    
        037efa89-9f85-d141-bdcb-7fc208a9471f
        25720195-077c-684a-b376-ddb0eec9490d
        4da1efc4-3be3-db47-ad6a-94bef19999d7
        5a11ba92-5aa2-dd4c-9428-76c6845a42e9
        7d130047-163d-7c4b-ad85-c450be72e18e
        8044e5c8-00df-004b-a352-8ad4178136bf
        9cb60a7b-deba-d647-b8f5-5940685d2ab5
        baebffad-e645-e048-95f1-302ea6696408
        ce1f5951-83ee-0949-a431-1a7ed96b5005
        cf388654-c5b4-264f-b9bf-723c838a6b4d
        e48fd268-0a9f-cb49-b560-b2b7bd429157
        faf5bdd5-ba3d-11da-ad31-d33d75182f1b
    
Note that all of the above happen to be in GUID format, but the hash format is plausible as well.
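As an added example (not InQuest's code and not how DFI is implemented), the following Python script ties together the two sections above: it walks an OOXML container, pulls the xmpMM identifiers out of each embedded image, compares them against known lure-template IDs, and matches OCR-derived text against the coercion phrases quoted earlier. It assumes the OCR text comes from an external engine (pytesseract or similar), that the sample docx, stub image and InstanceID value are constructed, and that a bare 32-hex xmpMM ID is the same value as the dashed GUID form listed above.

```python
import io
import re
import zipfile

# Two of the twelve lure-template XMP IDs listed above (add the rest for production use).
KNOWN_XMP_IDS = {"037efa89-9f85-d141-bdcb-7fc208a9471f",
                 "faf5bdd5-ba3d-11da-ad31-d33d75182f1b"}
# xmpMM IDs appear as attributes (xmpMM:DocumentID="xmp.did:...") or elements (<xmpMM:DocumentID>uuid:...</...>).
XMP_ID_RE = re.compile(rb'xmpMM:(OriginalDocumentID|DocumentID|InstanceID)(?:="|>)([^"<]+)')
# Coercion phrases quoted in the post, matched on whitespace-normalised OCR text.
LURE_RE = re.compile(r"enable (?:content|editing|macros)|office version isn'?t compatible", re.I)

def normalise_id(raw: str) -> str:
    """Strip xmp.did:/xmp.iid:/uuid: prefixes; re-dash a bare 32-hex ID into GUID form (assumption)."""
    value = raw.rsplit(":", 1)[-1].strip().lower()
    if re.fullmatch(r"[0-9a-f]{32}", value):
        value = f"{value[:8]}-{value[8:12]}-{value[12:16]}-{value[16:20]}-{value[20:]}"
    return value

def xmp_ids(blob: bytes) -> dict:
    """Return {kind: id} for the XMP identifiers embedded in one image's bytes."""
    return {k.decode(): normalise_id(v.decode("ascii", "replace"))
            for k, v in XMP_ID_RE.findall(blob)}

def scan_ooxml(doc: bytes) -> dict:
    """Walk an OOXML container's media parts; report parts carrying a known lure-template ID."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        for name in z.namelist():
            if "/media/" in name:
                matched = sorted(set(xmp_ids(z.read(name)).values()) & KNOWN_XMP_IDS)
                if matched:
                    hits[name] = matched
    return hits

def lure_phrases(ocr_text: str) -> list:
    """Match OCR-derived text (e.g. pytesseract output) against the coercion phrases."""
    text = " ".join(ocr_text.split())
    return sorted({m.group(0).lower() for m in LURE_RE.finditer(text)})

# Constructed sample: a minimal docx whose only image is a stub PNG header plus an XMP packet.
_XMP = (b'<?xpacket begin=""?><x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:Description '
        b'xmpMM:DocumentID="xmp.did:037EFA899F85D141BDCB7FC208A9471F" '
        b'xmpMM:InstanceID="xmp.iid:DEADBEEFDEADBEEFDEADBEEFDEADBEEF"/></x:xmpmeta><?xpacket end="w"?>')
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as z:
    z.writestr("[Content_Types].xml", "<Types/>")
    z.writestr("word/document.xml", "<document/>")
    z.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + _XMP)
SAMPLE_DOC = _buf.getvalue()
```

A real pipeline would feed each media part to an OCR engine and pass the returned text to lure_phrases, then raise severity when both an XMP hit and a phrase hit land on the same document.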

Gallery of Common Graphical Lure Templates

The following gallery of lures was harvested from a variety of malware samples collected over the past 30 days. Common among these lures is that they are all capable of evading common detection stacks.

IOCs

Adobe XMP IDs (listed above under "Tracking Graphical Assets Based on XMP IDs")

Selected Malicious Document Hashes

Please note that all of the above samples are available for download from InQuest Labs.